Despite doomsaying, the Net will survive

Strikes by malicious hackers continued to proliferate today, inspiring a level of Internet doomsaying not heard since the peak of millennium-bug mania last year.

Although outages resulting from this week's attacks will have a quantifiable commercial impact on their victims, those within the high-tech industry and beyond say the Web as a whole will suffer no lasting damage. Two key reasons for that assessment are the relatively brief duration of these assaults and the fact that they do not destroy data.

"The bottom line is there's no long-term effect
here," said Charles Rutstein, senior analyst at Forrester Research. "There's no impact on consumer confidence and no impact on the interest that companies have in doing business online The financial effect here is going to be small."

In a "distributed denial of service" (DoS) strike, as this week's incidents have been called, attackers break into hundreds or even thousands of computers around the Net and install a kind of time bomb that is difficult to detect. At a later date, the attacker can send a command to all of the "slave" machines, which wake up and start firing streams of information that clog their targets' networks.

While obviously disruptive, these actions only cause delays in site accessibility--making them far less damaging than other forms of cyberterrorism, such as a virus that destroys, manipulates or exposes programs and sensitive information on a wide scale.

"It's not affecting anything about the privacy of the information or the integrity of the information," said Mike Higgins, president of Para-Protect, a network security firm.

Jed Pickel, technical coordinator at CERT, the software engineering
institute at Carnegie Mellon University, said in an advisory today that the
group has received a normal number of incident reports during the week,
despite the high-profile attacks. He said the institute typically receives 30 incident reports daily, of which three to four concern denial of service assaults.

Still, most security experts agreed that such attacks can be expected to continue, especially by someone bearing a grudge against a particular company or those simply seeking the thrill of notoriety generated by this week's incidents.

In apparent anticipation of that, shares in network security firms rose sharply today on fears that
e-commerce companies may be held hostage by DoS saboteurs. Echoing concerns raised by other security experts, Reliable Software's Gary McGraw said this week's incidents take the problem "well beyond a nuisance issue."

Dorothy Denning, a computer science professor at Georgetown University in Washington, said the apparent nature of the attacks and the architecture of the Net make it nearly impossible to guarantee that such attacks won't bring down sites in the future. But she said the ability of sites such as Yahoo to come back online relatively quickly should be seen as a sign that DoS attacks are more of a nuisance than a major threat.

"Here in Washington, a snowstorm causes more damage," she said.

Those who were shut down by the attacks, however, were hardly so cavalier.

Outages have been reported at several top commercial Web sites, including Yahoo and Amazon, all of which said the attacks froze their networks with a glut of empty traffic. A sober assessment of the damage has been slow in coming, with victims refusing to comment on estimated dollar losses as a result of outages.

Based on Amazon's average hourly revenues last year, however, the company
would have lost about $561,643 during its three-hour outage. That rough
calculus does not take into consideration intangibles such as customer
acquisition and loyalty, which could affect long-term sales. In addition,
companies that rely primarily on advertising likely would be affected
differently from e-commerce companies.

Rather than hurting firms heavily at the bottom line, security experts said
such attacks have a more subtle effect. "The e-commerce impact is a confidence issue to the consumer," Higgins said.

Analysts said companies hit by attacks might suffer from an erosion of
customer loyalty. Even on that level, however, companies with established
brands like most of those hit this week are less likely to suffer long-term
adverse effects from temporary site inaccessibility than newcomers would.

"If I go to a Web site and it's not available, and if I'm a former
customer, I'll realize it's a temporary glitch and I'll come back,"
Forrester's Rutstein said. "But if I go there for the first time and the
site is down, I most likely will not come back.

"Companies that are in a customer acquisition mode, like Buy.com, are far
more affected because so many of their customers are new customers," he
added. "Other companies like Amazon, many of whose visitors are
long-standing customers, are less affected financially."

Even when these setbacks are taken into account, however, few paint a bleak picture for e-commerce or Internet growth in the long run.

Fred Cohen, a principal member of the technical staff at the Department of
Energy's Sandia National Laboratories,
who has written extensively on computer viruses and DoS attacks, said this
week's incidents primarily reflect a lax attitude toward security by new
Internet companies.

"The knowledge has existed for some time about how to design and operate a
network that can defeat these kinds of attacks with assurance," he said.
"But the knowledge base isn't generally being learned. The focus among
(Internet start-ups) has been to get something out quickly rather than to
do it well."

Others said this week's attacks are simply part of the ongoing effort to
create a more stable and reliable environment online--a process that likely
will never be finished.

"I view it along the lines of viruses," said David Schatsky, an analyst
with Jupiter Communications. "It represents a new challenge, but it is
essentially a technological problem that can be addressed by a
technological solution. It's difficult to stay on top of every new form,
but each variation is only a short-term hiccup."